Padlock symbolising WordPress security

How to secure a WordPress website: a beginners tutorial

Home » Tutorials » WordPress » How to secure a WordPress website: a beginners tutorial

By:

Ian Pegg

Published:

Updated:

Another sustained attack against WordPress installations worldwide has just subsided. There has never been a better time to nail down your website security before it’s too late.

I personally hate scare-mongering, but this is the perfect example of a situation where it’s better to act sooner rather than later. So be sure to take these 10 basic steps to secure your WordPress website today!

Many of these quick wins to secure your website are fairly straightforward, but don’t worry if you can’t do them all yourself. It’s better to eliminate some vulnerabilities than none at all.

Whenever making changes to a live website, I’d urge you to err on the side of caution. Seek professional advice if you’re not confident following any of these guidelines and especially if you haven’t done this kind of thing before. A working site is better than a broken one any day!

10 easy steps to secure your WordPress website

These steps are listed in approximate order of importance. The ordering has also been designed to avoid unnecessary duplication of effort:

  1. Take a backup first!
  2. Install the WordFence security plugin
  3. Update WordPress
  4. Remove unused themes
  5. Remove deactivated or unused plugins
  6. Lock down admin privileges
  7. Prevent public account registration
  8. Enforce strong passwords
  9. Set up a backup schedule
  10. Only install plugins from trusted sources

1). Always take a backup first!

Firstly I’d say that before you go any further, you must take a fresh backup of your entire WordPress install (database and files). I’d recommend BackWPUp. This plugin takes a full backup of both your database and files and can push those backups to a remote cloud storage solution such as Dropbox. And best of all? It’s free.

2). Install the WordFence security plugin.

Seriously, if you only do one of the things in this list, do this. Now. Even if you leave it set with the default settings, you’ll still enjoy far superior security protection right off the bat.

Just look at this awe-inspiring graph to see WordFence in action. If you scroll down that page you can read more about how it provides real-time security for your website. And did I mention it’s also free?

3). Update WordPress

This should be a part of your site maintenance routine. WordPress now performs minor core updates automatically. This means you shouldn’t need to worry too much about keeping WordPress itself up to date for security purposes (provided of course that you are running version 3.7 or upwards).

But regardless, you will still need to regularly check for updates to any plugins you’re using, and for your theme too. Again, WordFence comes to the rescue: go to ‘WordFence‘ -> ‘Options‘, enter an email address under ‘Basic options‘, then make sure you have ‘Alert on critical problems‘ checked. WordFence will now email you whenever it detects a plugin or theme is out of date.

If you have more than one theme to update, read the next step too.

4). Remove unused themes

Remove any themes you’re not using. You only need the one that’s currently activated and one of the standard issue Twenty themes by WordPress themselves. That is unless you’re using a child theme in which case you’ll need to keep its parent theme too. Leave this step if you’re not sure — you’re always welcome to give us a shout if you need help.

5). Remove deactivated or unused plugins

Always remove any plugins you’re not using. But don’t just deactivate them — you need to hit ‘delete‘ to remove the plugin completely.

The code inside a deactivated plugin still presents a potential security loophole that hackers can exploit. This is especially true if you’ve fallen into the habit of not updating deactivated plugins.

Try not to have more than between 10 and 15 plugins on your website. Generally, the fewer the better. Besides creating more attack vectors for hackers to exploit, having lots of plugins will also slow down your website.

6). Lock down admin privileges

Remove admin privileges from all users other than the account you use to actually administer your website. Go to ‘Users‘, and delete any user accounts you don’t recognise (be careful here if you run an ecommerce store). If you’re not sure about an account, dial down their privileges to ‘subscriber‘ or ‘customer‘. If they have a legitimate reason to need elevated privileges on your site they’re sure to get in touch with you.

Chances are, your administrator account is still called ‘admin‘ (as it is with many WordPress sites). To fix this, create a new administrator account with a different username and then delete the old admin user account. This will provide better protection against brute force attacks.

Don’t share user logins

If you’ve ever done the unspeakable, and allowed somebody else to use your admin account, change the password immediately. Have a look at step 8 for more guidance. People and user accounts must always have a one-to-one relationship: one account to every one person.

If you want to give somebody access to your WordPress website, create a new user account for them. Only give them the bare minimum privileges they need to get the job done. Never give anybody else your login details, especially not if you have admin privileges yourself.

For example, if somebody is writing a guest post for you, give them ‘author‘ privileges at most. This will allow them to upload images to their post, and submit a draft article for you to review. They won’t be able to publish anything or make any changes to your site. That’s all the access they need.

If you publish blog posts on your website, create a separate ‘editor‘ account for yourself. Don’t publish content using your admin account. It’s easy for hackers to find out the username and user id from any published post. So if you publish using your admin account you’re leaving the door ajar for the bad guys.

7). Prevent public account registration

Do you really want to allow anybody to register with your website? Probably not, unless you run an ecommerce store, forum or similar.

If you don’t want to allow people to register on your site: go to ‘Settings‘ -> ‘General‘, and make sure ‘Anyone can register‘ is unticked.

If you’re allowing visitors to register with your site in order to cut back on spam, at the very least make sure that ‘New user default role‘ is set to ‘subscriber‘ under ‘Settings‘ -> ‘General‘.

8). Enforce strong passwords

When you are creating a new password for a user, WordPress gives you feedback on how strong it thinks the password is. The problem is, it stops just shy of forcing users to actually use strong passwords. You have to do this manually, which does seem a little silly.

WordPress password strength indicator
Don’t just choose a strong password — use it!

So as the administrator of your site, change all user passwords to something you know is strong, or email your users and ask them to do the same.

Use a password generator such as Lastpass to create those passwords, the longer the better.

If you’ve installed WordFence by now, go to ‘WordFence‘ -> ‘Options‘, then make sure ‘Force admins and publishers to use strong passwords‘ is selected.

9). Set up a backup schedule

Okay, so this isn’t technically going to make your website any more secure, but now you’ve got the basics in place, make sure you set up a regular backup schedule. If the worst comes to the worst, and some scruffy little hacker urchin gets inside your site you’ll be glad for all the backups you now have.

Whatever you do, don’t just take one backup and be done with it. Set up a schedule that takes account of how often you add content to your site. I’d suggest setting full weekly backups as a minimum regardless. And be sure to keep a sensible number of backups in your archive: keep the last 12 weeks of backups if you can.

It’s easy to set scheduled backups using BackWPUp, so go back to step one and get the plugin installed if you haven’t already.

10). Only install plugins from trusted sources

Going forward, make sure you only install plugins from trusted sources. As a rule, I only install plugins from within the WordPress plugin dashboard. I know these plugins will come from the trusted WordPress.org plugin repository — although that doesn’t necessarily mean they are any good! Read more about how to choose the best plugins for WordPress.

Another wonderful feature of WordFence is that it also automatically scans your website for viruses and unauthorised modifications and emails you if it spots a problem. If it finds anything it’ll show you what’s changed and let you roll back to a known safe version.

Defence in depth, security in layers

These 10 security tips are a great start for beginners, but if you’re already comfortable with these recommendations, stay tuned! We’ll shortly be posting a set of intermediate security measures you can implement to tighten up your WordPress security even more.

Are you having trouble with anything in this tutorial? Or maybe you are afraid your site may have been hacked? Perhaps you’d just like somebody to analyse your website for security and performance? Why not get in touch and we’ll put together a plan to help.

Featured image by CarbonNYC (Own work) [CC BY-SA 2.0], via Flickr

Tagged with: // // // // //
Ian Pegg avatar
Ian Pegg
Web designer and PHP developer with 15 years commercial experience. Ian is a WordPress specialist who has also built websites from scratch, managed a diverse portfolio of commercial digital properties and worked as a full-stack developer for a high-profile question and answer website.Ian is the founder and director of EggCup Web Design Ltd., based in Norwich, UK.